CVE-2026-40020 Overview
CVE-2026-40020 is an access control vulnerability in Dovecot, the open-source Internet Message Access Protocol (IMAP) and Post Office Protocol (POP3) server maintained by Open-Xchange. An authenticated attacker can issue the IMAP SETACL command to inject the anyone permission into a user's dovecot-acl file, even when the server is configured with imap_acl_allow_anyone=no. The configuration directive intended to block this behavior fails to enforce the restriction, allowing folder sharing to all users on the system. The impact is limited to spamming folders to other users and does not grant unexpected read or write access to mailbox contents [CWE-284].
Critical Impact
Authenticated IMAP users can bypass the imap_acl_allow_anyone=no setting to share arbitrary folders with every user on the server, enabling folder-spam abuse.
Affected Products
- Open-Xchange Dovecot (versions prior to the fixed release referenced in advisory oxdc-adv-2026-0002)
- Dovecot deployments with the ACL plugin enabled
- Mail systems relying on imap_acl_allow_anyone=no to restrict folder sharing
Discovery Timeline
- 2026-05-12 - CVE-2026-40020 published to the National Vulnerability Database (NVD)
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-40020
Vulnerability Analysis
The flaw resides in Dovecot's IMAP ACL plugin, which implements RFC 4314 access control list semantics. The plugin exposes the SETACL command, allowing mailbox owners to grant rights to specific identifiers including the special anyone identifier that represents all authenticated users. Administrators can disable assignment of the anyone identifier by setting imap_acl_allow_anyone=no in the Dovecot configuration. The vulnerability arises because the server fails to validate this configuration directive when processing SETACL commands containing the anyone identifier. As a result, the rights are written to the user's dovecot-acl file regardless of the policy setting. The functional consequence is that every authenticated user on the mail server can subscribe to or see the shared folder, enabling unsolicited folder broadcasts.
Root Cause
The root cause is improper access control enforcement [CWE-284] within the IMAP ACL command handler. The configuration check for imap_acl_allow_anyone is either missing or bypassed in the code path that persists ACL entries to disk. The server accepts the SETACL request, updates the per-user dovecot-acl file, and returns a successful response without rejecting the prohibited identifier.
Attack Vector
An attacker must hold valid IMAP credentials on the target Dovecot server. After authenticating, the attacker issues a SETACL command against a mailbox they own, specifying the anyone identifier and the rights they wish to propagate. The injected ACL entry causes the folder to become visible or subscribable to all users on the server, which can be used to push unwanted content into other users' mailbox listings. No additional privileges, user interaction, or chained exploits are required, though the attack complexity is rated high because preconditions on mailbox state must be met. The vulnerability does not grant the attacker access to other users' messages.
Detection Methods for CVE-2026-40020
Indicators of Compromise
- Entries containing the anyone identifier inside per-user dovecot-acl files on servers configured with imap_acl_allow_anyone=no.
- IMAP protocol logs showing SETACL commands that specify the anyone or anonymous identifier.
- User reports of unfamiliar shared folders appearing in their mailbox folder list.
Detection Strategies
- Enable IMAP command logging in Dovecot and alert on any SETACL command referencing the anyone identifier when the policy is set to deny it.
- Run periodic filesystem audits across mail storage to detect dovecot-acl files that contain the anyone identifier.
- Correlate spikes in folder subscriptions across multiple user accounts to a single originating mailbox owner.
Monitoring Recommendations
- Forward Dovecot logs to a centralized logging or SIEM platform and build a detection for ACL modification events.
- Monitor authentication logs for IMAP sessions that issue ACL administrative commands outside of normal user behavior.
- Track creation of new shared namespaces or folders that propagate to large numbers of users in a short time window.
How to Mitigate CVE-2026-40020
Immediate Actions Required
- Upgrade Dovecot to the fixed version identified in the Open-Xchange Security Advisory.
- Audit existing dovecot-acl files for unauthorized anyone entries and remove them.
- Notify users to report any unexpected shared folders so administrators can investigate the source mailbox.
Patch Information
Open-Xchange has published the fix in advisory oxdc-adv-2026-0002. Administrators should install the patched Dovecot release referenced in the advisory. No publicly available exploits are known at the time of publication.
Workarounds
- Disable the IMAP ACL plugin entirely if shared folder functionality is not required in the deployment.
- Restrict IMAP access to trusted user populations using network-layer controls until the patched release is deployed.
- Periodically scan and prune dovecot-acl files for anyone identifiers as a compensating control.
# Configuration example: audit dovecot-acl files for anyone entries
find /var/mail -name 'dovecot-acl' -exec grep -lE '^anyone|^anonymous' {} \;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
